Collaborative software application static vulnerability detection
Abstract
Techniques for collaborative detection of software application static vulnerabilities are disclosed. Print statements are injected into the source code for a software application for each of its inputs and outputs. Vulnerability findings are obtained from two or more static analysis tools run against the modified source code. A determination is made that a first static analysis tool reports that tainted data can flow from an input of a function to a return value of the function and it is determined that the second static analysis tool reports that tainted data can flow into the input of the function and that tainted data cannot flow to the return value based on the vulnerability findings. The injection-modified source code is modified to include an assignment of the input to the output to obtain stitch-modified source code. Then vulnerability findings are obtained for the stitch-modified source code and they include new findings.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A computer system, comprising:
one or more processors;
one or more machine-readable medium coupled to the one or more processors and storing computer program code comprising sets instructions executable by the one or more processors to:
obtain source code for a software application, the source code including a plurality of functions having one or more inputs and one or more outputs;
inject print statements into the source code for each of the one or more inputs and the one or more outputs to obtain injection-modified source code;
obtain two or more sets of first vulnerability findings from two or more respective static analysis tools run against the injection-modified source code, the static analysis tools including a first static analysis tool and a second static analysis tool;
determine that the first static analysis tool reports that tainted data can flow from an input of a function to a return value of the function based on a first set of the first vulnerability findings from the first static analysis tool;
determine that the second static analysis tool reports that tainted data can flow into the input of the function and that tainted data cannot flow to the return value based on a second set of the first vulnerability findings from the second static analysis tool;
modify the injection-modified source code to include an assignment of the input to the output to obtain stitch-modified source code; and
obtain two or more sets of second vulnerability findings from the two or more respective static analysis tools run against the stitch-modified source code, the two or more sets of second vulnerability findings including new vulnerability findings not in the two or more sets of first vulnerability findings.
2. The computer system of claim 1 , wherein the computer program code further comprises sets of instructions executable by the one or more processors to:
obtain two or more sets of original vulnerability findings from the two or more respective static analysis tools run against the source code prior to modification; and
compare the two or more sets of second vulnerability findings to the two or more sets of original vulnerability findings to identify a set of new findings.
3. The computer system of claim 1 , wherein the assignment of the input to the output is conditional on a random value generator.
4. The computer system of claim 1 , wherein the assignment of the input to the output is positioned in the injection-modified source code after the function.
5. The computer system of claim 1 , wherein the computer program code further comprises sets of instructions executable by the one or more processors to:
remove corresponding print statements when modifying the injection-modified source code to include an assignment of the input to the output.
6. The computer system of claim 1 , wherein the computer program code further comprises sets of instructions executable by the one or more processors to:
remove print statements correspond to an output when all print statements for corresponding inputs are removed.
7. The computer system of claim 1 , wherein the source code is in a PHP Hypertext Preprocessor language and the print statements are echo operations.
8. A non-transitory computer-readable medium storing computer program code comprising sets of instructions to:
obtain source code for a software application, the source code including a plurality of functions having one or more inputs and one or more outputs;
inject print statements into the source code for each of the one or more inputs and the one or more outputs to obtain injection-modified source code;
obtain two or more sets of first vulnerability findings from two or more respective static analysis tools run against the injection-modified source code, the static analysis tools including a first static analysis tool and a second static analysis tool;
determine that the first static analysis tool reports that tainted data can flow from an input of a function to a return value of the function based on a first set of the first vulnerability findings from the first static analysis tool;
determine that the second static analysis tool reports that tainted data can flow into the input of the function and that tainted data cannot flow to the return value based on a second set of the first vulnerability findings from the second static analysis tool;
modify the injection-modified source code to include an assignment of the input to the output to obtain stitch-modified source code; and
obtain two or more sets of second vulnerability findings from the two or more respective static analysis tools run against the stitch-modified source code, the two or more sets of second vulnerability findings including new vulnerability findings not in the two or more sets of first vulnerability findings.
9. The non-transitory computer-readable medium of claim 8 , wherein the computer program code further comprises sets of instructions to:
obtain two or more sets of original vulnerability findings from the two or more respective static analysis tools run against the source code prior to modification; and
compare the two or more sets of second vulnerability findings to the two or more sets of original vulnerability findings to identify a set of new findings.
10. The non-transitory computer-readable medium of claim 8 , wherein the assignment of the input to the output is conditional on a random value generator.
11. The non-transitory computer-readable medium of claim 8 , wherein the assignment of the input to the output is positioned in the injection-modified source code after the function.
12. The non-transitory computer-readable medium of claim 8 , wherein the computer program code further comprises sets of instructions to:
remove corresponding print statements when modifying the injection-modified source code to include an assignment of the input to the output.
13. The non-transitory computer-readable medium of claim 8 , wherein the computer program code further comprises sets of instructions to:
remove print statements correspond to an output when all print statements for corresponding inputs are removed.
14. The non-transitory computer-readable medium of claim 8 , wherein the source code is in a PHP Hypertext Preprocessor language and the print statements are echo operations.
15. A computer-implemented method, comprising:
obtaining source code for a software application, the source code including a plurality of functions having one or more inputs and one or more outputs;
injecting print statements into the source code for each of the one or more inputs and the one or more outputs to obtain injection-modified source code;
obtaining two or more sets of first vulnerability findings from two or more respective static analysis tools run against the injection-modified source code, the static analysis tools including a first static analysis tool and a second static analysis tool;
determining that the first static analysis tool reports that tainted data can flow from an input of a function to a return value of the function based on a first set of the first vulnerability findings from the first static analysis tool;
determining that the second static analysis tool reports that tainted data can flow into the input of the function and that tainted data cannot flow to the return value based on a second set of the first vulnerability findings from the second static analysis tool;
modifying the injection-modified source code to include an assignment of the input to the output to obtain stitch-modified source code; and
obtaining two or more sets of second vulnerability findings from the two or more respective static analysis tools run against the stitch-modified source code, the two or more sets of second vulnerability findings including new vulnerability findings not in the two or more sets of first vulnerability findings.
16. The computer-implemented method of claim 15 , further comprising:
obtaining two or more sets of original vulnerability findings from the two or more respective static analysis tools run against the source code prior to modification; and
comparing the two or more sets of second vulnerability findings to the two or more sets of original vulnerability findings to identify a set of new findings.
17. The computer-implemented method of claim 15 , wherein the assignment of the input to the output is conditional on a random value generator.
18. The computer-implemented method of claim 15 , wherein the assignment of the input to the output is positioned in the injection-modified source code after the function.
19. The computer-implemented method of claim 15 , further comprising:
removing corresponding print statements when modifying the injection-modified source code to include an assignment of the input to the output.
20. The computer-implemented method of claim 15 , further comprising:
removing print statements correspond to an output when all print statements for corresponding inputs are removed.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.